Recently the IAB (Interactive Advertising Bureau) has released amendments to the CCPA agreement for compliance.
Targeted towards all Limited Service Provider Agreement (LSPA) signatories to update their registration information. Regarding the California Consumer Privacy Act (CCPA) which may have required some companies to sign the IAB Privacy Limited Service Provider Agreement (LSPA) to complete the compliance process. There has now been updates to this agreement just after a year in the market. This comes as the IAB have reviewed the regulations and market practices since the agreement was first released, giving them time to consider what needs to be updated.
One of the biggest changes being publisher obligations and the definition of “re-sale”. Current companies who signed the agreement will need to provide new information as part of their registration, which companies have had until May 7th 2021.
The updates to the LSPA are effective from May 7th 2021 and companies are expected to comply and adapt to these changes.
Let’s go over the notable changes since the first release of the CCPA IAB agreement:
Before the definition was a little ambiguous, the new revision includes an updated version. It states in a more clear way that “a Sale by a Downstream Participant after a Sale to such Downstream Participant by the Publisher Digital Property”, giving more emphasis on what is classed as a “Re-Sale”.
New changes now include different publisher notice obligations for when a consumer clicks a link.
A clear disclosure that Downstream Participants may Re-Sell the Consumer’s Personal Information that was Sold to them by the Publisher.
A clear disclosure that the Consumer has the right to Opt Out of the Re-Sale of the Consumer’s Personal Information. The publisher must now make this process more easier and accessible to the consumer, giving them a list of downstream participants where they can out-out from. This addition is what fulfils the provision of “explicit notice” under the CCPA for downstream participants.
Removal of the obligation to the “90-day look-back period” regarding Sales”. This was in the initial version of the LSPA but never adopted in the Final Text of Regulations, so it is now removed to make things more clear. Removal of various other obligations which are not relevant for notice required under the CCPA or its Regulations. Staying more aligned with the CCPA law.
New restrictions on re-selling personal information, the new agreement now states that for Non-Opt Out Transactions where the LSPA Transaction Signal is set to “Yes,” a Downstream Participant may Re-Sell Personal Information only if the Downstream Participant also provides a “Do Not Sell My Personal Information” link in accordance with the CCPA.
Changes to data deletion requests, as part of the new agreement, companies must now adds a representation and warranty that Signatories will implement the IAB Tech Lab’s specification for Data Deletion Requests.
No more requirements for IPDPs, now the definition of In Process Data Providers and all other references to this concept have been deleted.
The IAB organisation is providing a new streamlined web interface for this newly required registration. This interface also includes management features for companies who have signed the LSPA.
For current companies who have already registered, their data has been migrated to this new system. They should have received an email regarding this action welcoming them to the new system. From this interface, companies can manage their registration and provide links with evidence to their Opt-Out notice to support the amended notice obligations mentioned above.
Another important thing to note is there has also been an update to the US Privacy String.
Version 1-1.1 Stated (in summary): Publishers are required to send a Yes/No signal indicating if a publisher had provided explicit notice.
Version 1.2: Now states (in summary): The Yes/No signal for CCPA will now indicate if a Publisher has provided notice pursuant with providing the opportunity for a Consumer to Opt-Out of the Sale of their Personal Information.
You can find more about how UniConsent for CCPA Compliance works.
UniConsent is a part of Transfon's privacy-first User Experience Platform serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: firstname.lastname@example.org
Announcing GPP (Global Privacy Platform) API support in UniConsent CMP
IAB TCF Canada CMP: Support for IAB Canada’s Transparency and Consent Framework
EU Privacy Campaign Group filed a batch of warnings to websites with non-compliant cookie banners
Spain: Spanish DPA AEPD issues several fines for GDPR violations during June and July 2022
Czech Republic: the half year cookie compliance monitoring report from Czech DPA
TikTok: EU DPAs warn TikTok following announcement on the legal basis for targeted advertising